Stan Hoeppner put forth on 1/22/2010 1:28 AM:
> I've wondered for a couple of months why my rbl check is being skipped.  I've
> not seen a spamhaus entry in my logs since Sept 25 '09.  Interestingly, postgrey
> is being called now and then, and it is after the rbl check in  Any
> idea why my rbl check is being skipped?  What have I screwed up to cause this?

Bad form replying to my own post but...

After a hint from Ralf, I started digging around and here is what I found:

1.  Spamhaus has banned Google Public DNS resolver queries.  I didn't know this
until today.  If Postfix is using Google Public DNS resolvers, rbl queries fail,
but Postfix (Debian Lenny 2.5.5-1.1) logs NOTHING about it.  Not the query
attempt, not the failure, zilch, nut'n.  This explains why I
haven't seen any zen entries in my log since Sept 25 last year, apparently the
day I switched to Google DNS resolvers.  A total lack of log entries makes
troubleshooting anything very difficult.  Thanks to Ralf's off list suggestion,
I was able to start troubleshooting down the correct path.

2.  For other dns resolvers that Spamhaus doesn't like, such as a few under the
CenturyLink umbrella (former Embarq/Sprint resolvers), an error is logged, such as:

Jan 22 05:27:53 greer postfix/smtpd[19251]: warning: RBL lookup error: Host or domain name not found. Name service error for type=A: Host not found, try again

3.  Sometime between my switch to the Google resolvers and today, Spamhaus
decided to ban my previous Embarq resolvers.  So, when I switched back to the
old ones, I got errors like that above, and my zen queries still failed.  I dug
around through some very old paperwork and found a set of old Sprint resolvers
in Kansas City I'd never actually used which aren't banned by Spamhaus.  Turns
out this is probably a good thing since the resolvers I found that work are also
closest physically and electrically, the primary being 4 hops and 35ms away, the
secondary 7 hops and 40ms away.

I'm glad I got this solved.  I really wish that when I was using the Google
resolvers that Postfix would have been logging some kind of errors.  If it had,
I'd have known I had a real problem much sooner.  The total lack of log entries
for ~3 months is what finally jolted me to look into this.  This is a sad state
of affairs.  So the question at this point is, why didn't Postfix log any errors
when NXDOMAIN domain was returned, but did log errors when SERVFAIL is returned?
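
A small resolver self-check that reproduces the two failure modes discussed in this thread (added example, not code from the original post or from Postfix). It assumes the Spamhaus-documented test address 127.0.0.2 (always listed in zen) and that Postfix uses the same libc resolver as the script; the Spamhaus error return codes in the constants are from Spamhaus' documentation, not from this thread.

```python
import socket
import sys

# Spamhaus documents 127.0.0.2 as a permanently listed test address, so
# this name must return a 127.0.0.x answer through any resolver zen accepts.
TEST_QUERY = "2.0.0.127.zen.spamhaus.org"

# Spamhaus-documented error return codes (assumed from their docs, not the thread)
OPEN_RESOLVER_CODE = "127.255.255.254"    # query arrived via a public/open resolver
EXCESSIVE_QUERY_CODE = "127.255.255.255"  # query volume limit exceeded


def classify_lookup(name, resolve=socket.gethostbyname):
    """Resolve an RBL name and report the outcome the way the libc resolver
    (and therefore Postfix) sees it: (status, answer)."""
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return ("NXDOMAIN", None)   # "Host or domain name not found"
        if exc.errno == socket.EAI_AGAIN:
            return ("SERVFAIL", None)   # "Host not found, try again"
        return ("ERROR", str(exc))
    if answer in (OPEN_RESOLVER_CODE, EXCESSIVE_QUERY_CODE):
        return ("REFUSED", answer)      # Spamhaus answered, but refused the query
    if answer.startswith("127.0.0."):
        return ("LISTED", answer)
    return ("UNEXPECTED", answer)


VERDICTS = {
    "LISTED": "resolver returns zen data; reject_rbl_client can work",
    "NXDOMAIN": "no data for the always-listed test address: resolver is most "
                "likely blocked by Spamhaus; Postfix 2.5.5 logs nothing and the "
                "RBL check is silently skipped",
    "SERVFAIL": "temporary lookup failure: Postfix logs 'warning: RBL lookup error'",
    "REFUSED": "Spamhaus rejected the query (open resolver or volume limit)",
}


def check_resolver(resolve=socket.gethostbyname):
    """Return (status, human-readable verdict) for the configured resolver."""
    status, _answer = classify_lookup(TEST_QUERY, resolve)
    return status, VERDICTS.get(status, "unexpected answer; inspect manually")


if __name__ == "__main__":
    status, verdict = check_resolver()
    print(f"{TEST_QUERY}: {status} - {verdict}")
    sys.exit(0 if status == "LISTED" else 1)
```

Run it from the Postfix host so it goes through the same /etc/resolv.conf; a non-zero exit is the alert the mail logs never gave.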

